On Wednesday, March 26, 2003, at 22:18 Europe/Zurich, John Hardin wrote:
> On Wed, 2003-03-26 at 09:12, Paul Chambers wrote:
>> I would be very interested to see the percentages of the different
>> scanners, worms, etc. active out there, which isn't always obvious from
>> the target port alone.
>> That's what I'm aiming for, too.
>
Would it be possible to just get a rough idea of what the top scans are?
I just drop everything at the FW for the time being, and normally my
top ports are 137, 80, 445, and then all the others, mostly PC
riff-raff, which I don't really care about (hardly use my PC, and XP
just stopped booting), so the usual 80, 8080 port scans are what
interest me at least marginally.
I did use the following script to have a quick look at our Netscape
Logs:
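#!/usr/bin/perl
# Classify Code Red / Nimda probes in a common-log-format access log.
$file = shift || '/usr/netscape/server4/https-www.foo.com/logs/access';
open IN, $file or die "Cannot open file $file: $!\n";
while (<IN>) {
    # $1 = client host, $2 = timestamp, $3 = first character of the query string
    if (/^(\S+) \S+ \S+ \[(\S+) [\-\+]\d\d\d\d\] "GET \/default\.ida\?(\w)/) {
        if    ($3 eq 'N') { $c = "CodeRed" }
        elsif ($3 eq 'X') { $c = "CodeRedII" }
        else              { $c = "unknown $3" }
        print "$2 $1 $c\n";
    }
    # Nimda probe for cmd.exe via the ..%%35c.. path; accept + and - time zones
    elsif (/^(\S+) \S+ \S+ \[(\S+) [\-\+]\d{4}\] "GET \/scripts\/\.\.\%\%35c\.\.\/winnt\/system32\/cmd\.exe\?\/c\+dir/) {
        print "$2 $1 Nimda\n";
    }
}
close IN;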
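
Added example, not part of the original message: a Python tally that applies the same Code Red and Nimda request signatures as the script above and reports the per-worm percentages asked about in the quoted text. It assumes common-log-format lines, as the script's regexes do; the function names, sample lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Common-log-format prefix: client, ident, user, [timestamp zone], then the request.
LINE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [-+]\d{4}\] "GET (\S+)')

# Request-path signatures taken from the Perl script in the message.
CODE_RED = re.compile(r'^/default\.ida\?(\w)')
NIMDA_PREFIX = '/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir'


def classify(path):
    """Return a worm label for a request path, or None if no signature matches."""
    m = CODE_RED.match(path)
    if m:
        first = m.group(1)
        return {'N': 'CodeRed', 'X': 'CodeRedII'}.get(first, 'unknown ' + first)
    if path.startswith(NIMDA_PREFIX):
        return 'Nimda'
    return None


def tally(lines):
    """Count probes per label and collect the distinct source hosts per label."""
    hits, sources = Counter(), {}
    for line in lines:
        m = LINE.match(line)
        label = classify(m.group(3)) if m else None
        if label:
            hits[label] += 1
            sources.setdefault(label, set()).add(m.group(1))
    return hits, sources


def percentages(hits):
    """Share of each label among all classified probes, in percent."""
    total = sum(hits.values())
    return {k: round(100.0 * v / total, 1) for k, v in hits.items()} if total else {}


# Constructed sample lines (documentation addresses, shortened query strings).
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2003:09:12:01 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 207',
    '192.0.2.10 - - [26/Mar/2003:09:12:05 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 207',
    '198.51.100.7 - - [26/Mar/2003:09:40:17 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 207',
    '203.0.113.5 - - [26/Mar/2003:10:02:44 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '203.0.113.9 - - [26/Mar/2003:10:05:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == '__main__':
    hits, sources = tally(SAMPLE)
    for label, pct in sorted(percentages(hits).items(), key=lambda kv: -kv[1]):
        print(f'{label:10s} {hits[label]:3d} probes {pct:5.1f}%  {len(sources[label])} hosts')
```

Counting distinct source hosts alongside raw probes keeps one noisy infected machine from skewing the percentages.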